I'm trying to redirect all 5145 events (from WinEventLog:Security) and all Security events from 'SYSTEM' (or another account called digitalsender). I've tried several variations of the entries below, but nothing seems to work.
Here are the relevant parts of my configs.
props.conf
[source::WinEventLog:Security]
TRANSFORMS-null = null_excluded_users, null_excluded_events
transforms.conf
[null_excluded_users]
case_sensitive_match = false
REGEX = (?m)LogName=Security[^$]+(Security ID:(.*)(AUTHORITY\\SYSTEM|digitalsender)|User=(SYSTEM|digitalsender))
DEST_KEY = queue
FORMAT = nullQueue
[null_excluded_events]
case_sensitive_match = false
# anchor on the exact code; an alternation with empty branches such as (5145||) also matches the empty string, i.e. every event
REGEX = (?m)^EventCode=5145\b
DEST_KEY = queue
FORMAT = nullQueue
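An added check, not part of this post and not Splunk code: a small Python script that runs the posted REGEX values against constructed sample events in the multi-line WinEventLog:Security layout, so a nullQueue transform can be tested before it is deployed. It shows that the pattern `EventCode=(5145||)` matches every event because of its empty alternatives, and puts a tightened pair of patterns beside it for comparison. Python's `re` module treats this particular syntax the same way Splunk's PCRE engine does; the host name, account names and field layout in the samples are constructed, and the `FIXED_*` patterns are my suggestions, not something from the question.

```python
import re

# Constructed sample events in the multi-line WinEventLog:Security layout.
# Field values are made up for this test; they are not real captures.
EVENTS = {
    "share_access_5145": (
        "LogName=Security\n"
        "EventCode=5145\n"
        "ComputerName=host01.example.local\n"
        "Message=A network share object was checked to see whether client "
        "can be granted desired access.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tEXAMPLE\\jdoe\n"
        "\tAccount Name:\t\tjdoe\n"
    ),
    "logon_4624_system": (
        "LogName=Security\n"
        "EventCode=4624\n"
        "ComputerName=host01.example.local\n"
        "Message=An account was successfully logged on.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM\n"
        "\tAccount Name:\t\tHOST01$\n"
    ),
    "logon_4624_digitalsender": (
        "LogName=Security\n"
        "EventCode=4624\n"
        "ComputerName=host01.example.local\n"
        "Message=An account was successfully logged on.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tEXAMPLE\\digitalsender\n"
        "\tAccount Name:\t\tdigitalsender\n"
    ),
    "logon_4624_user": (
        "LogName=Security\n"
        "EventCode=4624\n"
        "ComputerName=host01.example.local\n"
        "Message=An account was successfully logged on.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tEXAMPLE\\asmith\n"
        "\tAccount Name:\t\tasmith\n"
    ),
}

# REGEX values exactly as posted in the question.
POSTED_EVENTS_REGEX = r"(?m)EventCode=(5145||)"
POSTED_USERS_REGEX = (
    r"(?m)LogName=Security[^$]+"
    r"(Security ID:(.*)(AUTHORITY\\SYSTEM|digitalsender)|User=(SYSTEM|digitalsender))"
)

# Suggested replacements (my assumption of the intended behaviour, not from the post):
# anchor the event code on its own line, and match the Security ID / User line directly.
FIXED_EVENTS_REGEX = r"(?m)^EventCode=5145\b"
FIXED_USERS_REGEX = (
    r"(?im)^(?:\s*Security ID:\s*(?:NT AUTHORITY\\SYSTEM|\S+\\digitalsender)"
    r"|User=(?:SYSTEM|digitalsender))\s*$"
)


def would_drop(regex: str, event: str) -> bool:
    """True if a transform with this REGEX would route the event to nullQueue.

    Splunk applies REGEX to _raw with a search (not a full match), so re.search
    is the right equivalent here.
    """
    return re.search(regex, event) is not None


def evaluate(regexes: dict, events: dict) -> dict:
    """Map each event name to the list of regex names that would drop it."""
    return {
        name: [rname for rname, rx in regexes.items() if would_drop(rx, ev)]
        for name, ev in events.items()
    }


if __name__ == "__main__":
    candidates = {
        "posted_events": POSTED_EVENTS_REGEX,
        "posted_users": POSTED_USERS_REGEX,
        "fixed_events": FIXED_EVENTS_REGEX,
        "fixed_users": FIXED_USERS_REGEX,
    }
    for event_name, dropped_by in evaluate(candidates, EVENTS).items():
        print(f"{event_name:28s} dropped by: {dropped_by or '-'}")
```

Running it shows `posted_events` listed against every sample, including the ordinary 4624 logon, which is what an empty alternative does: once it matches nothing, it matches everywhere. Because nullQueue discards events before they are indexed, a pattern that is too broad loses data silently; `splunk cmd btool transforms list --debug` confirms which REGEX values are actually in effect, and routing the filtered events to a separate low-retention index instead of nullQueue keeps them available for investigation.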